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INSPECTOR  GENERAL 

DEPARTMENT  OF  DEFENSE 

4800  MARK  CENTER  DRIVE 
ALEXANDRIA,  VIRGINIA 22350-1 500 

December  1,  2014 

MEMORANDUM  FOR  DIRECTOR,  DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 

SUBJECT:  Quality  Control  Review  of  the  Defense  Finance  and  Accounting  Service  Internal 
Audit  Organization  (Report  No.  DODIG-2015-043) 

We  are  providing  this  report  for  your  review  and  comment.  We  reviewed  the  system  of 
quality  control  for  the  internal  audit  organization,  Defense  Finance  and  Accounting  Service 
Office  of  Internal  Review  (DFAS  IR),  in  effect  for  the  period  ended  June  30,  2014.  The 
generally  accepted  government  auditing  standards  (GAGAS)  require  that  an  audit  organization 
performing  audits  and/or  attestation  engagements  in  accordance  with  GAGAS  have  an 
appropriate  internal  quality  control  system  in  place  and  undergo  an  external  peer  review  at 
least  once  every  3  years  by  reviewers  independent  of  the  audit  organization  being  reviewed. 

As  the  organization  that  has  audit  policy  and  oversight  responsibilities  for  audits  in  the  DoD, 
we  conducted  the  external  quality  control  review  of  the  DFAS  IR  audits  and  attestations.  Our 
quality  control  review  was  conducted  in  accordance  with  the  Council  of  the  Inspectors  General 
on  Integrity  and  Efficiency  (CIGIE)  Quality  Standards 

An  audit  organization’s  quality  control  policies  and  procedures  should  be  appropriately 
comprehensive  and  suitably  designed  to  provide  reasonable  assurance  of  meeting  the 
objectives  of  quality  control.  We  tested  the  DFAS  IR  system  of  quality  control  for  audits  to  the 
extent  considered  appropriate. 

Federal  audit  organizations  can  receive  a  rating  of  pass,  pass  with  deficiencies,  or  fail.  In  our 
opinion,  except  for  the  deficiencies  described  in  Appendix  A,  the  system  of  quality  control  for 
the  internal  audit  function  of  DFAS  in  effect  for  the  period  ending  June  30,  2014,  was  designed 
in  accordance  with  quality  standards  established  by  GAGAS.  Accordingly,  we  are  issuing  a 
pass  with  deficiencies  on  the  DFAS  IR  quality  control  system  for  the  review  period  ended 
June  30,  2014. 

Appendix  A  contains  deficiencies  that  provide  for  the  basis  for  the  opinion  rendered,  and 
Appendix  B  contains  other  findings  that  warrant  disclosure  where  DFAS  IR  can  improve  its 
quality  control  system.  Appendix  C  contains  a  summary  of  the  results  of  our  interviews  with 
the  DFAS  IR  audit  staff.  Appendix  D  contains  the  scope  and  methodology  of  the  review. 

We  considered  management  comments  on  a  draft  of  this  report  when  preparing  the  final 
report.  DoD  Directive  7650.3  requires  that  recommendations  be  resolved  promptly. 

Comments  from  the  Director,  Defense  Finance  and  Accounting  Service,  were  generally 
responsive;  however,  comments  on  Recommendation  4a  were  only  partially  responsive. 
Therefore,  we  request  additional  comments  on  Recommendation  4a  by  December  17,  2014. 

Please  send  a  PDF  file  containing  your  comments  to  the  email  address  provided  below. 

Copies  of  your  comments  must  have  the  actual  signature  of  the  authorizing  official  for  your 
organization.  We  cannot  accept  the  /Signed/  symbol  in  place  of  the  actual  signature.  If  you 
arrange  to  send  classified  comments  electronically,  you  must  send  them  over  the  SECRET 
Internet  Protocol  Router  Network  (SIPRNET). 
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We  appreciate  the  courtesies  extended  to  the  staff.  Please  provide  comments  to 
the  final  report  by  December  17,  2014.  For  additional  information  on  this  report, 
please  contact  Ms.  Carolyn  R.  Davis  at  (703)  604-8877  (DSN  664-8877)  or 

Carolyn.Davis@dodig.mil. 


7, 

Randolph  R.  Stone 
Deputy  Inspector  General 
Policy  and  Oversight 
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Introduction 

Defense  Finance  and  Accounting  Service 

The  Defense  Finance  and  Accounting  Service  (DFAS)  is  the  world’s  largest  finance 
and  accounting  operation.  DFAS  pays  DoD  military  and  civilian  personnel,  retirees 
and  annuitants,  as  well  as  major  DoD  contractors  and  vendors.  DFAS  also  supports 
customers  outside  of  the  Department  of  Defense,  to  include  the  Executive  Office  of 
the  President,  Department  of  Veterans  Affairs,  and  the  Department  of  Health  and 
Human  Services.  In  FY  2013,  DFAS: 

•  processed  161.8  million  pay  transactions  (6.6  million  people/accounts), 

•  made  6  million  travel  payments, 

•  paid  10.3  million  commercial  invoices, 

•  maintained  270.4  million  General  Ledger  accounts, 

•  managed  $700  billion  in  Military  Retirement  and  Health  Benefits  Funds, 

•  made  $579  billion  in  disbursements, 

•  managed  $403  billion  in  Foreign  Military  Sales  (reimbursed  by  foreign 
governments),  and 

•  accounted  for  1,232  active  DoD  appropriations. 

DFAS  Internal  Review  Organization 

DFAS  Office  of  Internal  Review  (IR)  is  an  independent  office  within  DFAS  that 
provides  responsive,  professional,  and  objective  services  to  enhance  DFAS 
stewardship  and  value  to  its  customers.  DFAS  IR  examines  programs,  systems, 
and  processes  and  provides  information,  analyses,  recommendations,  and  other 
assistance  applicable  to  DFAS  management's  objectives.  The  Director,  DFAS  IR, 
reports  directly  to  the  Principal  Deputy  Director,  DFAS.  The  DFAS  IR  audit 
organization  has  offices  in  Columbus,  Ohio;  Cleveland,  Ohio;  and  Indianapolis, 
Indiana.  Additional  details  on  the  DFAS  IR  organization  and  the  scope  and 
methodology  for  this  review  are  contained  at  Appendix  D. 
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Appendix  A 

Deficiencies  that  Provide  the  Basis  for  the 
Opinion  Rendered 

With  the  exception  of  a  few  areas,  the  DFAS  IR’s  system  of  quality  control  was 
suitably  designed.  Generally  accepted  government  auditing  standards  (GAGAS) 

3.84  requires  that  each  audit  organization  document  its  quality  control  policies  and 
procedures  and  communicate  those  policies  and  procedures  to  its  personnel.  DFAS 
IR  established  its  quality  control  system  in  its  DFAS  IR  Audit  Manual.  We  identified 
areas  in  the  Audit  Manual  that  needed  improvement: 

•  assessing  the  impact  of  performing  nonaudit  services, 

•  applying  safeguards  to  eliminate  or  reduce  threats  to  independence, 

•  accessing  and  updating  audit  documentation1  after  report  issuance, 

•  obtaining  sufficient  and  appropriate  audit  evidence,  and 

•  performing  agreed-upon  procedure  (AUP)  engagements. 

Assessing  the  Impact  of  Performing  Nonaudit  Services 

In  accordance  with  GAGAS  2.13,  when  audit  organizations  provide  nonaudit 
services  to  entities  for  which  they  also  provide  GAGAS  audits,  they  should  assess 
the  impact  that  providing  those  nonaudit  services  may  have  on  the  independence 
of  the  auditor  and  the  audit  organization  and  respond  to  any  identified  threats  to 
independence.  Based  on  our  review,  we  determined  that  DFAS  IR  did  not  properly 
assess  the  impact  of  providing  nonaudit  services,  nor  did  they  adequately  respond 
to  identified  threats  to  independence  (see  additional  details  in  the  Applying 
Safeguards  to  Eliminate  or  Reduce  Threats  to  Independence  section). 

Furthermore,  DFAS  IR  did  not  maintain  a  listing  of  nonaudit  services  that  impacted 
the  current  review  period.  GAGAS  3.43  states  that  nonaudit  services  provided  by 
auditors  can  impact  independence  in  mind  and  in  appearance  in  periods  subsequent 
to  the  period  in  which  the  nonaudit  service  was  provided.  Therefore,  it  is 
imperative  that  audit  staff  be  aware  of  any  nonaudit  services  provided.  The  failure 
to  properly  assess  the  impact  of  nonaudit  services  on  current  and  future  work  and 
the  failure  to  adequately  respond  to  identified  threats  to  independence  could  result 
in  independence  impairments  in  both  current  and  subsequent  periods. 

Additionally,  we  determined  that  DFAS  IR’s  policies  and  procedures  related  to 
nonaudit  services  did  not  include  additional  requirements  as  outlined  in  the  DoD 


1  The  term  audit  documentation  refers  to  working  papers  in  performance  audits  and  attestation  engagements. 
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Manual  (DoDM)  7600. 07-M,  "DoD  Audit  Manual,”  February  13,  2009,  Enclosure  9, 
"Conducting  Nonaudit  Services."  Specifically,  the  DFAS  IR  policies  and  procedures 
did  not  include  specific  requirements  for  performing  nonaudit  services  that  are 
not  expressly  prohibited  by  GAGAS.  DoDM  7600. 07-M,  Enclosure  9,  identifies  those 
types  of  nonaudit  services  as  "Other  than  Routine  Nonaudit  Services." 

Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  1 

We  recommend  that  the  Director,  DFAS: 

(a)  Revise  the  DFAS  IR  Audit  Manual  to  provide  required  guidance 
on  the  performance  of  nonaudit  services,  including  the  additional 
requirements  in  DoDM  7600. 07-M,  Enclosure  9,  "Conducting  Nonaudit 
Services"  for  "Other  than  Routine  Nonaudit  Services." 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  incorporate  the  additional  nonaudit 
services  requirements  from  DoDM7600.07-M  Enclosure  9, "Conducting  Nonaudit 
Services,”  for  "Other  that  Routine  Nonaudit  Services"  into  Chapter  2  of  the  IR 
Audit  Manual. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

(b)  Maintain  a  list  of  nonaudit  services  performed  along  with  the  time 
period  of  the  service  to  assist  in  making  sound  decisions  on  services 
to  accept. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  established  a  list  of  nonaudit  services  with 
the  time  period  performed  to  record  and  track  those  services.  The  list  of  nonaudit 
services  is  available  for  all  audit  staff  to  review  so  they  are  aware  of  which 
nonaudit  services  DFAS  IR  performed. 

Our  Response 

DFAS  are  responsive.  No  additional  comments  are  needed. 
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Applying  Safeguards  to  Eliminate  or  Reduce  Threats 
to  Independence 

GAGAS  3.02  states,  "in  all  matters  relating  to  the  audit  work,  the  audit  organization 
and  the  individual  auditor,  whether  government  or  public,  must  be  independent." 
GAGAS  3.04  states  in  part  "that  auditors  and  audit  organizations  maintain 
independence  so  that  their  opinions,  findings,  conclusions,  judgments,  and 
recommendations  will  be  impartial  and  viewed  as  impartial  by  reasonable  and 
informed  third  parties."  For  two  of  the  eight  engagements,  DFAS  IR  did  not  apply 
appropriate  safeguards  designed  to  eliminate  or  reduce  threats  to  independence  to 
an  acceptable  level  in  accordance  with  GAGAS  3.16. 

In  Project  No.  CO12PRC010TX,  we  determined  that  DFAS  IR  did  not  apply  the 
appropriate  safeguards  to  eliminate  multiple  independence  threats  or  reduce  them 
to  an  acceptable  level  in  accordance  with  GAGAS  3.16.  In  this  engagement,  the 
Deputy  Director,  Columbus,  and  the  Audit  Client  Executive  documented  a  threat  to 
independence  because  they  provided  direction  in  a  nonaudit  service  (IR  End-to-End 
Assessment  of  DFAS  Texarkana  Operations).  The  DFAS  IR  Director  did  not  apply 
appropriate  safeguards  when  he  decided  to  mitigate  the  threats  to  independence  by 
having  the  Deputy  Director,  Columbus,  and  the  Audit  Client  Executive  oversee  each 
other’s  decisions.  During  the  performance  of  the  audit,  the  Audit  Client  Executive 
documented  a  second  threat  to  independence  because  she  was  planning  to  transfer 
to  the  DFAS  supporting  component  that  was  directly  related  to  the  subject  of  the 
audit.  The  DFAS  IR  Director  documented  that  he  would  assess  the  direction  of  the 
audit  and  make  all  final  decisions  on  the  direction  of  the  audit;  however,  we  did  not 
find  evidence  to  support  that  assertion. 

Lastly,  for  Project  No.  13INAA005,  AUP  engagement,  a  DFAS  IR  auditor  performed 
procedures  on  the  debt  portion  of  the  AUP  engagement  despite  identifying  and 
reporting  both  a  familiarity  and  undue  influence  threat  on  his  independence 
statement.  DFAS  IR  management  concurred  with  the  auditor’s  assessment,  and  the 
Audit  Manager  decided  to  eliminate  the  threat  to  independence  by  documenting 
that  the  auditor  would  not  work  on  the  debt  portion  of  the  assignment.  However, 
the  attest  documentation  showed  that  the  auditor  participated  in  performing 
procedures  related  to  debt  cycles.  During  our  site  visit,  the  Audit  Manager  clarified 
his  written  statement  by  stating  that  his  written  statement  was  intended  to 
indicate  that  the  auditor  would  not  be  performing  any  procedures  where  specific 
debt  transactions  were  assessed  that  related  to  the  familiarity  and  undue  influence 
threats.  We  don’t  know  how  the  Audit  Manager  would  be  able  to  differentiate 
the  debt  transactions  that  related  to  the  familiarity  and  undue  influence  threats 
and  those  that  did  not.  We  determined  that  DFAS  IR  management  did  not  apply 
appropriate  safeguards. 
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Recommendations,  Management  Comments,  and 
Our  Reponse 

Recommendation  2 

We  recommend  that  the  Director,  DFAS: 

(a)  Revise  the  DFAS  IR  Audit  Manual  to  include  examples  of  appropriate 
ways  to  mitigate,  reduce,  or  eliminate  threats  to  independence. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  incorporate  examples  of  appropriate  ways 
to  mitigate,  reduce,  or  eliminate  threats  to  independence  into  the  IR  Audit  Manual. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

(b)  Provide  training  on  the  execution  and  implementation  of  the  GAGAS 
Conceptual  Framework  Approach  to  Independence. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  provide  training  to  all  audit  staff  on 
the  proper  execution  and  implementation  of  the  GAGAS  Conceptual  Framework 
Approach  to  Independence. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

Accessing  and  Updating  Audit  Documentation  after 
Report  Issuance 

GAGAS  3.92  states, 

when  performing  GAGAS  audits,  audit  organizations  should  have 
policies  and  procedures  for  the  safe  custody  and  retention  of  audit 
documentation  for  a  time  sufficient  to  satisfy  legal,  regulatory,  and 
administrative  requirements  for  records  retention  ....  For  audit 
documentation  that  is  retained  electronically,  the  audit  organization 
should  establish  effective  information  systems  controls  concerning 
accessing  and  updating  the  audit  documentation. 

We  observed  that  DFAS  IR  did  not  have  policies  and  procedures  for  handling 
changes  to  audit  documentation  after  audit  report  issuance.  DoDM  7600. 07-M, 
Enclosure  13,  “Audit  Documentation,"  states  that  to  ensure  the  integrity  of  the  audit 
data,  DoD  audit  organizations  should  develop  policies  and  procedures  for  handling 
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changes  to  audit  documentation  after  they  issue  the  audit  report.  DFAS  IR  audit 
staff  edited  or  created  audit  documentation  after  the  final  report  was  issued  as 
shown  in  Table  1. 


Table  1.  Audit  Documentation  Edited  or  Created  after  Final  Report  Issuance. 


Project  Number 

Total  Audit 
Documents 

Non- 

Administrative 
Audit  Documents 
Dated  After  Final 
Report  Date 

Administrative 
Audit  Documents 
Dated  After  Final 
Report  Date 

Total  Audit 
Documents 
Dated  After 
Final  Report 
Date 

13INAA005* 

453 

22 

35 

57 

IN12PRS004DFAS 

1,103 

8 

38 

46 

13INAA012* 

153 

37 

34 

71 

13INPA008 

573 

8 

6 

14 

CO12PRC010TX 

414 

4 

4 

8 

13COPA001 

372 

0 

7 

7 

13COPA003 

264 

2 

7 

9 

CL12PRA009DFAS 

881 

2 

19 

21 

*See  additional  details  in  the  Performing  Agreed-Upon  Procedures,  Dating  of  Agreed-Upon 
Procedure  Reports  section  in  this  appendix. 


GAGAS  3.92  states  in  part,  "For  audit  documentation  that  is  retained  electronically, 
the  audit  organization  should  establish  effective  information  systems  controls 
concerning  accessing  and  updating  the  audit  documentation.” 

Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  3 

We  recommend  that  the  Director,  DFAS: 

(a)  Revise  the  DFAS  IR  Audit  Manual  in  accordance  with  DoDM  7600.07, 
Enclosure  13,  "Audit  Documentation”  to  include  requirements  for 
accessing  and  updating  audit  documentation  after  the  final  audit 
report  is  issued  whether  the  audit  documentation  is  in  electronic,  or 
hardcopy,  or  any  other  media. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  incorporate  into  the  DFAS  IR  Audit  Manual 
the  requirements  for  assessing  and  updating  audit  documentation  after  the  final 
audit  report  is  issued  whether  the  audit  documentation  is  in  electronic,  hardcopy,  or 
any  other  media  in  accordance  with  DoDM  7600. 07-M,  "Audit  Policies,"  Enclosure  13, 
"Audit  Documentation." 
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Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

(b)  Provide  training  consistent  with  the  requirements  of  DoDM  7600.07, 
Enclosure  13,  “Audit  Documentation”  for  accessing  and  updating  audit 
documentation  after  the  final  audit  report  is  issued. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  provide  training  to  all  audit  staff  on 
the  requirements  for  assessing  and  updating  audit  documentation  after  the  final 
audit  report  is  issued  consistent  with  the  requirements  of  DoDM  7600. 07-M,  "Audit 
Policies,"  Enclosure  13,  "Audit  Documentation." 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

Obtaining  Sufficient  and  Appropriate  Evidence 

GAGAS  6.56  states  that  auditors  must  obtain  sufficient,  appropriate  evidence 
to  provide  a  reasonable  basis  for  their  findings  and  conclusions.  In  two  of  the 
six  performance  audits  selected,  inappropriate  or  insufficient  evidence  was  used 
to  support  reported  findings. 

Consideration  of  Audit  Risk 

For  Project  No.  CL12PRA009DFAS,  the  audit  staff  used  a  minimum  sample  size 
for  each  of  the  nine  samples  without  considering  audit  risk.  The  impact  to  the 
engagement  was  that  the  audit  staff  may  have  reached  incorrect  or  improper 
conclusions  (GAGAS  6.71b).  GAGAS  6.71b  states,  in  part,  "evidence  is  not  sufficient 
or  not  appropriate  when  (1)  using  the  evidence  carries  an  unacceptably  high 
risk  that  it  could  lead  the  auditor  to  reach  an  incorrect  or  improper  conclusion.” 
Because  the  audit  staff  did  not  appropriately  assess  audit  risk  when  selecting  the 
sampling  parameters,  there  is  no  assurance  that  the  staff  obtained  sufficient  and 
appropriate  evidence  to  support  the  reported  findings  and  conclusions  in  relation 
to  the  audit  objectives  in  accordance  with  GAGAS  6.10.  GAGAS  6.10  states,  in 
part,  "...auditors  should  design  the  methodology  to  obtain  reasonable  assurance 
that  the  evidence  is  sufficient  and  appropriate  to  support  the  auditors’  findings 
and  conclusions  in  relation  to  the  audit  objectives  and  to  reduce  audit  risk  to  an 
acceptable  level." 

For  Project  No.  IN12PRS004DFAS,  the  audit  staff  did  not  perform  a  comprehensive 
assessment  of  audit  risk.  The  staff  did  not  appropriately  identify  the  sources  of 
audit  evidence,  within  the  context  of  the  audit  objective,  and  determine  the  amount 
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and  type  of  evidence  needed  given  audit  risk  and  significance.  This  led  to  the 
audit  staff  performing  procedures  outside  the  scope  of  the  audit.  For  example,  one 
audit  procedure  required  the  audit  staff  to  verify  supporting  documents  for  death 
gratuity  payments  at  DFAS.  In  addition  to  verifying  the  supporting  documents, 
the  audit  staff  performed  unnecessary  verifications  at  the  military  commands  and 
Department  of  Veterans  Affairs.  GAGAS  6.09  states  in  part, 

the  scope  defines  the  subject  matter  that  the  auditors  will  assess 
and  report  on,  such  as  a  particular  program  or  aspect  of  a  program, 
the  necessary  documents  or  records,  the  period  of  time  reviewed, 
and  the  locations  that  will  be  included. 

In  performing  unrelated  procedures,  the  audit  staff  utilized  inappropriate  audit 
evidence  and  wasted  audit  resources. 

Reliance  on  Computer-Processed  Data 

For  Project  No.  CL12PRA009DFAS,  the  audit  staff  determined  that  they  did  not  need 
to  assess  the  reliability  of  computer-processed  data.  The  audit  staff  used  journal 
voucher  logs  to  materially  support  the  findings,  conclusions,  and  recommendations, 
but  the  staff  did  not  assess  the  sufficiency  and  appropriateness  of  journal  voucher 
logs  in  accordance  with  GAGAS  6.66.  GAGAS  6.66  states,  in  part,  "auditors  should 
assess  the  sufficiency  and  appropriateness  of  computer-processed  information 
regardless  of  whether  this  information  is  provided  to  auditors  or  auditors 
independently  extract  it."  The  July  2009  Government  Accountability  Office  (GAO) 
Report  No.  GAO  09-680G,  "Assessing  the  Reliability  of  Computer-Processed  Data," 
states,  "you  should  assess  reliability  if  the  data  to  be  analyzed  are  intended  to 
materially  support  your  findings,  conclusions,  or  recommendations."  Further,  "in 
your  audit  plan,  you  should  discuss  briefly  how  you  plan  to  assess  data  reliability, 
as  well  as  any  limitations  that  may  exist  because  of  shortcomings  in  the  data.” 
When  the  audit  staff  decided  not  to  assess  the  reliability  of  computer-processed 
data,  they  did  not  obtain  appropriate  evidence  to  support  their  findings 
and  conclusions. 
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Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  4 

We  recommend  that  the  Director,  DFAS: 

(a)  Revise  the  DFAS  IR  Audit  Manual  to  add  procedures  on  how  to 
effectively  develop  and  implement  audit  risk  assessments. 

DFAS  Comments 

The  Director,  DFAS  partially  agreed.  DFAS  IR  will  review  the  IR  Audit  Manual 
and  determine  whether  additional  procedures  are  necessary  on  how  to  effectively 
develop  and  implement  audit  risk  assessments.  DFAS  IR  asserted  that  our  review 
was  based  on  older  versions  (2013  and  2012)  of  the  IR  Audit  Manual  and  did  not 
identify  audit  risk  assessment  concerns  for  audits  planned  using  current  risk 
assessment  procedures  in  the  February  28,  2014  IR  Audit  Manual. 

Our  Response 

The  Director’s  comments  are  partially  responsive.  Our  findings  took  into 
consideration  the  current  version  of  the  IR  Audit  Manual  which  had  the  same 
procedures  for  audit  risk  as  the  prior  version  of  the  IR  Audit  Manual  dated  June 
28,  2013.  Because  the  procedures  in  the  current  version  are  the  same  as  those  in 
the  prior  version,  we  evaluated  those  procedures  for  audits  issued  for  the  period  in 
effect  (July  1,  2013  to  June  30,  2014)  on  which  our  findings  are  based.  We  request 
that  DFAS  reconsider  its  position  and  provide  additional  comments. 

(b)  Provide  training  on  the  documentation  of  audit  risk. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  provide  training  to  all  audit  staff  on  the 
proper  documentation  of  audit  risk  to  demonstrate  compliance  with  GAGAS  6.07 
and  the  DFAS  IR  Audit  Manual. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

Performing  Agreed-Upon  Procedure  Engagements 

We  selected  two  Agreed-Upon  Procedure  (AUP)  engagements  for  our  review. 

We  identified  significant  noncompliances  in  conducting  and  reporting  of  these 
engagements  in  the  areas  of  understanding  the  auditor’s  role  in  performing 
an  AUP  engagement,  the  dating  of  the  report,  and  obtaining  a  management 
representation  letter. 
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Auditor’s  Role  in  Performing  an  AUP  Engagement 

For  Project  No.  13INAA005,  the  audit  staff  assumed  the  role  of  DFAS  management 
by  inappropriately  making  decisions  about  the  procedures  that  were  specified  in 
the  engagement.  The  true  universe  of  the  population  within  the  scope  period  was 
unknown;  therefore,  DFAS  management  could  not  establish  appropriate  sampling 
parameters  for  DFAS  IR  to  execute.  The  American  Institute  of  Certified  Public 
Accountants  (AICPA)  AT2  201.16  states  the  practitioner  (auditor)  should  not  agree 
to  perform  procedures  that  are  overly  subjective  and  thus  possibly  open  to  varying 
interpretations.  Examples  of  appropriate  procedures  include  the  execution  of  a 
sampling  application  after  agreeing  on  relevant  parameters  (AT  201.17).  DFAS  IR 
and  DFAS  management  failed  to  agree  on  relevant  sampling  parameters  before 
executing  the  sampling  application. 

Dating  of  AUP  Reports 

AICPA  AT  201.34  states  that  the  date  of  completion  of  the  AUPs  should  be  used  as 
the  date  of  the  practitioner’s  report.  For  both  AUP  engagements,  the  DFAS  IR  audit 
staff  dated  the  final  report  as  of  the  last  day  of  performance  of  the  procedures.  As 
a  result,  a  significant  number  of  documents  were  prepared,  edited,  and/or  reviewed 
after  the  report  date  (see  additional  details  in  the  Accessing  and  Updating  Audit 
Documentation  after  Report  Issuance  section  in  this  appendix).  Additionally,  there 
is  a  significant  gap  between  the  report  date  and  the  date  of  issuance  as  shown  in 
Table  2. 


Table  2.  Time  Elapses  Between  Report  Date  and  Date  of  Issuance 


Project  Number 

Report  Date 

Date  of  Issuance 

13INAA012 

December  10,  2013 

January  17,  2014 

13INAA005 

August  27,  2013 

September  18,  2013 

For  any  AUP  engagement,  the  procedures  agreed  upon  should  include  the  time 
necessary  to  assess  and  report  on  the  procedures.  If  reporting  is  not  explicitly 
stated  within  the  AUP,  then  it  should  be  implied  as  part  of  performance  of  the  AUP. 
Therefore,  the  date  of  the  practitioner’s  report  should  reflect  any  time  necessary 
for  reporting  on  the  procedures. 

Obtaining  a  Management  Representation  Letter 

For  Project  No.  13INAA012,  the  auditors  did  not  obtain  written  representations 
from  DFAS  management  in  accordance  with  AT  601.11.  AT  601.11  states  that 


2  The  prefix  AT  is  used  for  Statements  on  Standards  for  Attestation  Engagements  and  Attestation  Engagement 
interpretations  in  the  AICPA  standards. 
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as  part  of  performing  an  engagement,  the  practitioner  should  obtain  from 
the  responsible  party  a  written  assertion  about  compliance  with  specified 
requirements  or  internal  control  over  compliance.  The  DFAS  IR  audit  staff  did  not 
obtain  written  representations  from  the  responsible  party,  DFAS  management,  even 
though  a  written  assertion  was  required  to  conduct  the  AUP  engagement. 

Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  5 

We  recommend  that  the  Director,  DFAS: 

(a)  Revise  the  DFAS  IR  Audit  Manual,  dated  February  28,  2014,  Chapter  6, 
"Agreed-Upon  Procedures  Attestations,”  to  include  guidance  that  for 
any  AUP  engagement,  the  procedures  agreed  upon  should  include  the 
time  necessary  to  assess  and  report  on  the  procedures. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  incorporate  into  Chapter  6  of  the  IR  Audit 
Manual  guidance  that  for  any  AUP  engagement,  the  procedures  agreed  upon  should 
include  the  time  necessary  to  assess  and  report  on  the  procedures. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

(b)  Update  the  DFAS  IR  Audit  Manual,  dated  February  28,  2014, 

Chapter  6,  "Agreed-Upon  Procedures  Attestations,"  to  provide 
additional  guidance  on  Compliance  Attestation  engagements  and  the 
requirement  to  obtain  written  representations  from  the  responsible 
party  in  accordance  with  AT  601.68. 

DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  incorporate  into  the  IR  Audit  Manual 
guidance  on  AUP  Compliance  Attestation  engagement,  and  the  requirement  to 
obtain  written  representations  from  the  responsible  parties  in  accordance  with  AT 
601.68  into  the  IR  Audit  Manual. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

(c)  Provide  training  to  all  DFAS  IR  audit  staff  on  performing  and 
reporting  on  AUP  engagements  conducted  in  accordance  with  GAGAS. 
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DFAS  Comments 

The  Director,  DFAS  agreed.  DFAS  IR  will  provide  training  to  all  audit  staff  on 
properly  performing  and  reporting  on  AUP  engagements  in  accordance  with  GAGAS 
and  the  DFAS  IR  Audit  Manual. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 
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Other  Findings  that  Warrant  Disclosure 

We  identified  areas  of  concern  that  showed  evidence  of  noncompliance  in  some 
additional  areas.  However,  these  areas  of  noncompliance  were  not  considered 
to  be  significant  and  did  not  affect  the  opinion  rendered,  but  due  to  the 
relative  importance  to  the  audit  organization’s  system  of  quality  control,  they 
warrant  disclosure. 

Reliance  on  the  Work  of  Other  Auditors 

GAGAS  6.40  states  that  auditors  should  determine  whether  other  auditors  have 
conducted,  or  are  conducting,  audits  of  the  program  that  could  be  relevant  to  the 
current  audit  objectives.  Furthermore,  in  accordance  with  GAGAS  6.41,  if  auditors 
use  the  work  of  other  auditors,  they  should  perform  procedures  that  provide  a 
sufficient  basis  for  using  that  work.  For  Project  No.  13INPA008,  the  audit  staff 
placed  reliance  on  an  audit  performed  by  an  external  auditing  firm.  However,  the 
staff  did  not  obtain  evidence  concerning  the  qualifications  and  independence  of  the 
external  auditing  firm.  Also,  the  staff  did  not  document  that  the  scope,  quality,  and 
timing  of  the  audit  work  performed  by  the  external  auditing  firm  could  be  relied 
upon  as  required  by  GAGAS  6.41.  Moreover,  the  audit  staff  did  not  adhere  to  DFAS 
IR’s  Audit  Manual,  dated  June  28,  2013,  Section  3.20,  which  states,  in  part,  the 
audit  staff 


must  obtain  evidence  concerning  the  other  auditors’  qualifications, 
independence,  and  should  determine  whether  the  scope,  quality, 
and  timing  of  the  audit  work  performed  by  the  other  auditors  is 
adequate  for  reliance  in  the  context  of  the  current  audit  objectives... 

Working  papers  must  support  the  reliance  of  other’s  work  or  not,  as 
applicable  to  the  objectives  of  the  audit. 

The  failure  of  the  DFAS  IR  audit  staff  to  obtain  evidence  concerning  the  other 
auditors’  qualifications  and  independence  could  result  in  DFAS  IR  relying  on 
inadequate  audit  work. 

Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  6 

We  recommend  that  the  Director,  DFAS  IR,  issue  a  memorandum  to  DFAS  IR 
personnel  reinforcing  the  GAGAS  and  DFAS  IR  Audit  Manual  requirements 
when  using  the  work  of  other  auditors. 
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DFAS  Comments 

The  Director,  DFAS  IR,  agreed.  The  Director  DFAS  IR,  issued  a  memorandum  to 
DFAS  IR  audit  staff  reinforcing  the  GAGAS  and  DFAS  IR  Audit  Manual  requirements 
when  using  the  work  of  others. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

Omission  of  Performance  Aspects  from  Performance 
Audit  Objectives 

GAGAS  6.08  states  that  the  objectives  are  what  the  audit  is  intended  to  accomplish. 
The  audit  objectives  identify  the  audit  subject  matter  and  performance  aspects 
to  be  included,  and  may  also  include  the  potential  findings  and  reporting 
elements  that  the  auditors  expect  to  develop.  The  specific  objective  of  Project 
No.  C012PRC010TX  was  to  "determine  the  effect  the  lack  of  segregation  of  duties 
and  system  management  controls  has  on  the  DFAS  Texarkana  Vendor  Pay  and 
Payroll  functions."  Based  on  our  review,  we  determined  that  the  objective  was  a 
preconceived  conclusion  from  work  previously  performed.  DFAS  IR  did  not  develop 
an  objective  that  met  the  criteria  of  GAGAS  6.08  as  the  audit  staff  did  not  identify 
the  performance  aspects  to  be  included.  This  potentially  resulted  in  the  staff 
expending  audit  resources  that  could  have  been  put  to  better  use.  Additionally, 
this  is  contrary  to  DFAS  IR’s  Audit  Manual,  dated  June  28,  2013,  Section  3.07, 
which  states  the  audit  objectives  "must  identify  the  subject  of  the  audit  matter 
and  the  performance  aspects  to  be  reviewed.”  The  Audit  Manual  further  states, 
in  Section  3.07.01,  that  "to  clearly  communicate  expectations,  the  audit  objectives 
must  be  answerable,  identifying  the  audit  subject,  performance  aspect  reviewed, 
and  the  finding  and  reporting  elements  the  auditors  expect  to  develop." 
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Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  7 

We  recommend  that  the  Director,  DFAS  IR,  issue  a  memorandum  to  DFAS  IR 
personnel  reiterating  the  GAGAS  and  DFAS  IR  Audit  Manual  requirements  that 
the  audit  objectives  identify  both  the  subject  matter  and  the  performance 
aspects. 

DFAS  Comments 

The  Director,  DFAS  IR,  agreed.  The  Director,  DFAS  IR,  has  issued  a  memorandum 
to  DFAS  IR  personnel  reiterating  the  GAGAS  and  DFAS  IR  Audit  Manual 
requirements  that  the  audit  objectives  identify  both  the  subject  matter  and  the 
performance  aspects. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 

Inconsistencies  in  Reporting  on  Internal  Controls 

GAGAS  7.09  states  that  auditors  should  include  in  the  report  a  description  of  the  audit 
objectives  and  the  scope  and  methodology  used  for  addressing  the  audit  objectives. 
GAGAS  7.11  states  that  auditors  should  describe  the  scope  of  the  work  performed 
and  any  limitations,  including  issues  that  would  be  relevant  to  likely  users,  so  that 
they  could  reasonably  interpret  the  findings,  conclusions,  and  recommendations 
in  the  report  without  being  misled.  The  DFAS  IR  audit  staff  stated  that  "policies, 
procedures,  risks,  and  internal  controls  for  acquisitions  (capitalized  and  non¬ 
capitalized)  ...  for  all  asset  transactions  between  January  1,  2013  and  July  31,  2013" 
would  be  included  as  part  of  the  audit  scope  for  Project  No.  13INPA008.  This  led 
users  of  the  report  to  believe  that  internal  controls  were  included  and  assessed 
during  performance  of  the  audit.  However,  the  report  further  states  that  the  audit 
staff  did  not  assess  internal  controls.  Auditors  should  communicate  the  audit 
objectives,  scope,  and  methodology  in  a  clear,  specific,  and  unambiguous  manner, 
and  the  audit  objectives,  scope,  and  methodology  should  be  consistent  with  content 
throughout  the  report. 
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Recommendations,  Management  Comments,  and 
Our  Response 

Recommendation  8 

We  recommend  that  the  Director,  DFAS  IR,  revise  the  DFAS  IR  Audit  Manual, 
dated  February  28,  2014,  to  include  procedures  to  ensure  consistency  in 
reporting  between  the  audit  objective,  scope  of  audit,  audit  methodology,  and 
other  report  content. 

DFAS  Comments 

The  Director,  DFAS  IR,  agreed  and  will  incorporate  additional  procedures  to  ensure 
consistency  in  reporting  between  the  audit  objectives,  scope,  methodology,  and 
other  report  content  into  Chapter  3  of  the  IR  Audit  Manual. 

Our  Response 

DFAS  comments  are  responsive.  No  additional  comments  are  needed. 
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Summary  of  the  Results  of  Our  Interviews 

We  interviewed  DFAS  IR  staff  members  of  various  organizational  levels  to 
determine  their  knowledge  of  DFAS  IR  audit  policies  and  GAGAS  general,  fieldwork, 
and  reporting  standards.  Table  3  contains  a  summary  of  the  results  of  the 
responses  received. 

Table  3.  Summary  of  Interview  Results 


Areas  Pertaining  to  DFAS  Internal 

Review  Audit  Policies  and  Staff  Responses  to  Questions 

GAGAS  Standards 


Areas  Pertaining  to  DFAS  Internal 
Review  Audit  Policies  and 
GAGAS  Standards 

Staff  Responses  to  Questions 

Awareness  of  DFAS  IR  Audit  Policies 

The  staff  stated  they  were  aware  of  the  audit  policies. 

Compliance  with  GAGAS 

The  staff  stated  that  their  work  complied  with  GAGAS 
standards. 

Independence 

Several  of  the  audit  staff  expressed  concerns  with 
a  potential  independence  impairment  related  to 
a  disagreement  with  DFAS  IR  management.  We 
reviewed  those  concerns  and  determined  that  DFAS 

IR  management  appropriately  documented  the 
disagreement.  However,  based  on  our  review  of 
project  documentation,  we  identified  issues  related  to 
documenting  safeguards  to  eliminate  or  reduce  threats 
to  independence  (see  Appendix  A). 

Competence 

Staff  responses  indicated  that  the  competency 
requirement  was  fulfilled. 

Quality  Control  and  Assurance 

The  staff  members  were  knowledgeable  about  quality 
control  and  assurance  procedures. 

Planning  (Risk  Assessments) 

The  staff  involved  with  planning  stated  that  they 
completed  risk  assessments  for  audits. 

Supervision 

The  staff  stated  that  they  received  or  provided  adequate 
supervision. 

Audit  Documentation 

The  staff  stated  that  the  audit  documentation  was 
adequate. 

Evidence 

The  staff  stated  that  the  evidence  was  adequate. 

Reporting  (Timeliness) 

The  staff  stated  that  the  reports  were  generally  timely. 
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Scope  and  Methodology 

We  reviewed  the  adequacy  of  the  DFAS  IR  audit  organization's  compliance  with 
its  quality  control  policies,  procedures,  and  GAGAS.  In  performing  our  review, 
we  considered  the  requirements  of  quality  control  standards  contained  in  the 
December  2011  Revision  of  GAGAS  issued  by  the  Comptroller  General  of  the 
United  States.  GAGAS  3.96  states: 

The  audit  organization  should  obtain  an  external  peer  review  at 
least  once  every  3  years  that  is  sufficient  in  scope  to  provide  a 
reasonable  basis  for  determining  whether,  for  the  period  under 
review,  the  reviewed  audit  organization's  system  of  quality  control 
was  suitably  designed  and  whether  the  audit  organization  is 
complying  with  its  quality  control  system  in  order  to  provide  the 
audit  organization  with  reasonable  assurance  of  conforming  with 
applicable  professional  standards. 

We  performed  this  review  from  March  2014  to  September  2014  in  accordance  with 
standards  and  guidelines  established  in  the  March  2009,  Updated  November  2012, 
CIGIE  Guide  for  Conducting  External  Peer  Reviews  of  the  Audit  Organizations  of 
Federal  Offices  of  Inspector  General.  We  performed  this  review  in  accordance  with 
the  Quality  Standards  for  Inspections  and  Evaluations.  In  performing  this  review, 
we  assessed,  reviewed,  and  evaluated  audit  documentation,  interviewed  DFAS  IR 
audit  staff,  and  reviewed  DFAS  IR  policies  that  were  published  February  28,  2014, 
June  28,  2013,  and  the  archived  DFAS  IR  Audit  Manual. 

We  judgmentally  selected  8  reports  from  a  universe  of  13  reports  issued  by  the 
DFAS  IR  from  July  1,  2013  through  June  30,  2014.  In  selecting  the  reports,  we 
worked  with  the  DFAS  IR  audit  organization  to  establish  the  universe  of  reports 
that  were  issued  during  the  review  period.  We  then  selected  reports  that  were 
representative  of  the  types  of  reviews  completed.  The  DFAS  IR  did  not  issue  any 
financial  audit  reports  during  the  review  period. 

Table  4  identifies  the  specific  reports  reviewed.  The  Type  of  Review  column 
contains  information  that  was  determined  by  the  report's  GAGAS  compliance 
statement  and/or  the  type  of  review  described  in  the  final  report. 
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Appendix  D 


Table  4.  Reports  Reviewed 


Project  Number 

Audit  Office 

Report  Title  and  Issue  Date 

Type  of  Review 

13INAA005 

Indianapolis 

Defense  Military  Pay  Offices 
Agreed-Upon  Procedures, 

August  27,  2013 

Agreed-Upon 

Procedures 

IN12PRS004DFAS 

Indianapolis 

Death  Gratuity  Payment 
Effectiveness,  October  31,  2013 

Performance 

13INAA012 

Indianapolis 

Account  Management  & 
Provisioning  System  Role-Based 
Access  Control  Packages 
Agreed-Upon  Procedures, 
December  10,  2013 

Agreed-Upon 

Procedures 

13INPA008 

Indianapolis 

Audit  of  l&T  Infrastructure 
Management,  February  10,  2014 

Performance 

CO12PRC010TX 

Columbus 

Audit  of  DFAS  Texarkana 

Vendor  Pay  and  Payroll, 

November  19,  2013 

Performance 

13COPA001 

Columbus 

General  Accounting  and  Finance 
System  E-Adjustments  Audit, 
November  27,  2013 

Performance 

13COPA003 

Columbus 

Centralized  Offset  Program 
(COP)  Audit,  January  7,  2014 

Performance 

CL12PRA009DFAS 

Cleveland 

DFAS  Journal  Voucher  (JV)  2012 
Audit,  January  21,  2014 

Performance 

Our  review  would  not  necessarily  disclose  all  weaknesses  in  the  system  of  quality 
control  or  all  instances  of  noncompliance  because  we  based  our  review  on  selective 
tests.  There  are  inherent  limitations  in  considering  the  potential  effectiveness  of 
any  quality  control  system.  In  performing  most  control  procedures,  departures  can 
result  from  misunderstanding  of  instructions,  mistakes  of  judgment,  carelessness, 
or  other  human  factors.  Projecting  any  evaluation  of  a  quality  control  system 
into  the  future  is  subject  to  the  risk  that  one  or  more  procedures  may  become 
inadequate  because  conditions  may  change  or  the  degree  of  compliance  with 
procedures  may  deteriorate. 
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Management  Comments 

Defense  Finance  and  Accounting  Service  Comments 


□  4800  MARK  CENTER  DRIVE 
ALEXANDRIA,  VA  2235CE30D0 

DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE  ^OV  0  7  2014 

MEMORANDUM  FOR  DEPUTY  INSPECTOR  GENERAL,  AUDIT  POLICY  AND 

OVERSIGHT,  INSPECTOR  GENERA!-.  DEPARTMENT  OE 
DEFENSE 

SUBJECT:  Quality  Control  Review  of  the  Defense  Finance  and  Accounting  Service  (DFAS) 

Internal  Audit  Organisation  (Project  No,  D20 1 4-DAPOCM-Ol  30.000) 

Thank  you  for  the  opportunity'  to  review  and  comment  on  the  peer  review  findings  and 
recommendations.  We  appreciate  you  providing  a  comprehensi  ve  assessment  of  oar  DFAS  Internal 
Review's  (IR)  compliance  with  Generally  Accepted  Government  Auditing  Standards  (GAGAS)  and 
useful  recommendations  to  further  ensure  the  quality  of  their  audit  mission.  Attached  are  our 
comments  to  your  report. 

Please  direct  any  comments  or  questions  regarding  our  response  to  Mr,  Rick  Davis, 

Director,  Internal  Review,  at  (571)  372-5930  or  Mr,  Ed  Romcsburg,  Deputy  Director,  Columbus 
Audit,  at  (614)  701-2330, 


Attachment: 
As  staled 


wwflL  dfss.nnil 

Your  Finan^al  Partner  gj)  Wfl'k 
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Defense  Finance  and  Accounting  Service  Comments 
(cont'd) 


Management  Comments 
on 

Quality  Control  Review  of  the  DFAS  Internal  Audit  Organization  (Project  No.  1)2014- 

DAPOCM-0 130.000) 

The  following  are  our  comments  to  the  8  recommendations  in  the  report: 

1.  We  recommend  that  the  Director,  DFAS: 

a.  Revise  the  DFAS  IR  Audit  Manual  to  provide  required  guidance  on  the  performance 

of  nonaudit  services,  including  the  additional  requirements  in  DoDM  7600.07-M, 
Enclosure  9,  “Conducting  Services”  for  “Other  than  Routine  Nonaudit 

Services.” 

S 

DFAS  Response:  Concur.  DFAS  IR  will  incorporate  the  additional  nonaudit  services 
requirements  from  DoDM  7600.07-M,  Enclosure  9,  “Conducting  Nonaudit  Services"  for 
“Other  than  Routine  Nonaudit  Services"  into  Chapter  2  of  the  IR  Audit  Manual. 

Estimated  completion  date  (ECD):  January  31,  2015 

b.  Maintain  a  list  of  nonaudit  services  performed  along  with  the  time  period  of  the 
service  to  assist  in  making  sound  decisions  on  serv  ices  to  accept. 

DFAS  Response:  Concur.  DFAS  IR  established  a  list  of  nonaudit  services  with  the  time 
period  performed  to  record  and  track  those  services  The  list  of  nonaudit  services  is 
available  for  all  audit  staff  to  review  so  they  acs which  nonaudit  services  DFAS  IR 
performed.  jl 

ECD:  Complete 

2.  We  recommend  that  the  Director,  DFAS: 

a.  Revise  the  DFAS  IR  Audit  Manual  to  include  examples  of  appropriate  w  avs  to 
mitigate,  reduce,  or  eliminate  threats  to  independence. 

DFAS  Response:  Concur.  DFAS  IR  will  incorporate  examples  of  appropriate  ways  to 
mitigate,  reduce,  or  eliminate  threats  to  independence  into  Chapter  1  of  the  IR  Audit 
Manual. 

ECD:  January  31,  2015 
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Defense  Finance  and  Accounting  Service  Comments 
(cont'd) 


b.  Provide  training  on  the  execution  and  implementation  of  the  GAGAS  Conceptual 
Framework  Approach  to  Independence. 

DFAS  Response:  Concur.  DFAS  IR  will  provide  training  to  all  audit  staff  on  the  proper 
execution  and  implementation  of  the  GAGAS  Conceptual  Framework  Approach  to 
Independence. 

ECD:  January  31,  2015 

3.  VVe  recommend  that  the  Director,  DFAS: 

a.  Revise  tfej^AS  IR  Audit  Manual  in  accordance  with  DoDM  7600.07,  Enclosure  13, 
“Audit  D||||||j^tation”  to  include  requirements  for  accessing  and  updating 

audit  doc#^€f)^tion  after  the  final  audit  report  is  issued  w  hether  the  audit 
documentation  is  in  electronic,  or  hardcopy,  or  any  other  media. 

DFAS  Response:  Concur.  DFAS  IR  will  incorporate  the  requirements  for  accessing  and 
updating  audit  documentation  after  the  final  audit  report  is  issued  from  DoDM  7600.07-M, 
Enclosure  13,  “Audit  Documentation”  into  Chapter  1  of  the  IR  Audit  Manual. 

ECD:  January  3 1 ,  20 1 5 

b.  Provide  training  consistent  with  the  requirements  of  DoDM  7600.07,  Enclosure  13, 
“Audit  Documentation”  for  accessing  and  updating  audit  documentation  after  the 
final  audit  report  is  issued. 

DFAS  Response:  Concur.  DFAS  IR  will  provide  training  to  all  audit  staff  on  the 
requirements  for  accessing  and  updating  audit  documentation  after  the  final  audit  report  is 
issued  from  DoDM  7600.07-M,  Enclosure  13,  “Audit  Documentation.” 

ECD:  January  3 1 , 201 5 

4.  VVe  recommend  that  the  Director,  DFAS: 

43L  Revise  the  DFAS  IR  Audit  Manual  to; on  how  to  effectively  develop 
taiptemeis!  risk  assessments.  ivl.* 

I>FAS  Response:  Partially  Concur.  DFAS  IR-wiM the  IR  Audit  Manual  and 
*  determine  whether&ddlfional  procedures  arenecessary  crn  how  to  effectively  develop  and 
implement  audit  risk  assessments.  The  two  audit  examples  the  peer  review  based  the 
finding  on  were  audits  planned  using  a  prior  version  of  the  IR  Audit  Manual  that  had  not  yet 
included  the  latest  DFAS  IR  audit  risk  assessment  procedures.  The  peer  review  did  not 
_  identity  audikrisk  assessment  concerns  for  audits  planned  using  current  risk  assessment 
procedures  in  the  IR  Audit  Manual. 

ECD:  January  31,  2015 
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Defense  Finance  and  Accounting  Service  Comments 
(cont'd) 


b.  Provide  training  on  the  documentation  of  audit  risk. 

DFAS  Response:  Concur.  DFAS  IR  will  provide  training  to  all  audit  staff  on  the  proper 
documentation  of  audit  risk  to  demonstrate  compliance  with  GAGAS  6.07  and  the  DFAS  IR 
Audit  Manual. 

ECD:  January  3 1 , 20 1 5 

5.  We  recommend  that  the  Director,  DFAS: 

a.  Revise  the  DFAS  IR  Audit  Manual,  dated  February  28,  2014,  Chapter  6, 
“Agreed-Upon  Procedures  Attestations,”  to  include  guidance  that  for  any  AUP 
engagement,  the  procedures  agreed  upon  should  include  the  time  necessary  to  assess 
and  report  on  the  procedures. 

DFAS  Response:  Concur.  DFAS  IR  will  incorporate  guidance  that  for  any  AUP 
engagemori4^:j7^^^es  agreed  upon  should  include  the  time  necessary  to  assess  and 
report  on  ^lto  Chapter  6  of  the  IR  Audit  Manual. 


Manual,  dated  February  28,  2014,  Chapter  6, 
“Agreed-Upon  Procedures  Attestations,”  to  provide  additional  guidance  on 
Compliance  Attestation  engagements  and  the  requirement  to  obtain  written 
representations  from  the  responsible  party  in  accordance  with  AT  601.68. 

DFAS  Response:  Concur.  DFAS  IR  will  incorporate  additional  guidance  for  AUP 
Compliance  Attestation  engagements,  and  the  requirement  to  obtain  written  representations 
from  the  responsible  parties  in  accordance  with  AT  601 .68  into  Chapter  6  of  the  IR  Audit 
Manual. 

ECD:  January  3 1 , 20 1 5 

c.  Provide  training  to  all  DFAS  IR  audit  staff  on  performing  and  reporting  on  AUP 
engagements  conducted  in  accordance  w  ith  GAGAS. 

DFAS  Response:  Concur.  DFAS  IR  will  provide  training  to  all  audit  staff  on  properly 
performing  and  reporting  on  AUP  engagements  in  accordance  with  GAGAS  and  the  DFAS 
IR  Audit  Manual. 

ECD:  January  3 1 , 20 1 5 

6.  We  recommend  that  the  Director,  DFAS  IR  issue  a  memorandum  to  DFAS  IR 
personnel  reinforcing  the  GAGAS  and  DFAS  IR  Audit  Manual  requirements  when 
using  the  work  of  others. 


4 


ECD:  Jam^rV 

mV, 


m 


m 


b.  IJpdat^'M^M  Audit 
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Defense  Finance  and  Accounting  Service  Comments 
(cont'd) 


DFAS  Response:  Concur.  The  Director,  DFAS  IR  issued  a  memorandum  to  the  DFAS  IR 
audit  staff  reinforcing  the  GAGAS  and  DFAS  IR  Audit  Manual  requirements  when  using 
die  woric  of  others. 

ECD:  Complete 

7.  We  recommend  that  the  Director,  DFAS  IR,  issue  a  memorandum  to  DFAS  IR 
personnel  reiterating  the  GAGAS  and  DFAS  IR  Audit  Manual  requirements  that  the 
audit  objectives  identify  both  the  subject  matter  and  the  performance  aspects. 

DFAS  Response:  Concur.  The  Director,  DFAS  IR  issued  a  memorandum  to  the  DFAS  IR 
audit  staff  reiterating  the  GAGAS  and  DFAS  IR  Audit  Manual  requirements  that  the  audit 
objectives  identify  both  the  subject  matter  and  the  performance  aspects. 

ECD:  Complete 

8.  We  recommend  that  the  Director,  DFAS  IR,  revise  the  DFAS  IR  Audit  Manual,  dated 
February  28,  2014,  to  include  procedures  to  ensure  consistency  in  reporting  between 
the  audit  objective,  scope  of  audit,  audit  methodology,  and  other  report  content. 

DFAS  Response:  Concur.  DFAS  IR  will  incorporate  additional  procedures  to  ensure 
consistency  in  reporting  between  the  audit  objectives,  scope,  and  methodology,  and  other 
report  content  into  Chapter  3  of  the  IR  Audit  Manual. 

ECD:  January  3 1 , 20 1 5 
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Whistleblower  Protection 
U.S.  Department  of  Defense 


The  Whistleblower  Protection  Enhancement  Act  of  2012  requires 
the  Inspector  General  to  designate  a  Whistleblower  Protection 
Ombudsman  to  educate  agency  employees  about  prohibitions 
on  retaliation,  and  rights  and  remedies  against  retaliation  for 
protected  disclosures.  The  designated  ombudsman  is  the  DoD  Hotline 
Director.  For  more  information  on  your  rights  and  remedies  against 
retaliation,  visit  www.dodig.mil/programs/whistleblower. 


For  more  information  about  DoD  IG 
reports  or  activities,  please  contact  us: 

Congressional  Liaison 

congressional@dodig.mil;  703.604.8324 

Media  Contact 

public.affairs@dodig.mil;  703.604.8324 

Monthly  Update 

dodigconnect-request@listserve.com 

Reports  Mailing  List 

dodig_report@listserve.com 

Twitter 

twitter.com/DoD_IG 

DoD  Hotline 

dodig.mil/hotline 


DEPARTMENT  OF  DEFENSE  |  INSPECTO 

4800  Mark  Center  Drive 
Alexandria,  VA  22350-1500 
www.dodig.mil 

Defense  Hotline  1.800.424.9098 


